Alex Williamson/Getty

STICKUP

Hackers Cripple Hospitals With Stolen NSA Malware

A massive global cyberattack exploiting a flaw in Windows has shut down hospitals and put patients at risk.

05.12.17 9:40 PM ET

Alex Williamson/Getty

A fast-spreading internet worm enriched with stolen NSA hacking code wreaked havoc Friday, ripping through thousands of organizations in at least 74 countries, crippling some hospitals, utilities, businesses and government agencies in an online extortion scheme that’s graduated to a near internet disaster.

Called “WannaCry,” the malware infects vulnerable Windows machines, encrypts everything, and presents the victim with a multilingual pop-up message demanding a $300 in BitCoin in exchange for the safe return of the files. Ransomware attacks like these are commonplace. What makes this one different is that someone welded the ransomware chassis to a sophisticated Windows exploit that leaked from the National Security Agency last month. Now the supercharged result is spreading under its own power, using each infected computer as a springboard to launch more infections.

The worst known impact so far is in Britain, where computer systems across the National Health service (NHS) were paralyzed by the malware, putting lives at risk across the country. More than 40 healthcare trusts across Britain reported outages after the attack although it’s unclear how many were directly affected and how many closed down their systems pre-emptively. The outages left thousands of doctors unable to access patient data, emergency rooms were shut down and ambulances re-directed. Some hospitals were forced to cancel crucial x-ray, MRI and CT scans while others were forced to treat patients without access to radiology test results or information about blood-types.

People were warned not to use some hospitals unless it was an absolute emergency.

Antiquated computing systems may have NHS uniquely vulnerable to WannaCry. Windows XP machines are still commonplace in the organization, a sprawling bureaucracy that relies heavily on the sharing of vast quantities of sensitive data. One doctor texted: “Some of our computers with internet capability run Windows ’95 FFS!”

WannaCry exploits an vulnerability in Windows that was revealed last month by a mysterious gang of hackers calling themselves the Shadow Brokers. Since last August, the Shadow Brokers have been periodically releasing top secret documents and hacking code belonging to the National Security Agency’s elite Tailored Access Operations program, which penetrates foreign computers to gather intelligence.

In their most recent dump last month the Shadow Brokers exposed the code for a sophisticated NSA toolkit targeting Windows machines. The most serious tool in the files was an exploit called EternalBlue that the NSA had ben using to hack into Windows machines. Hackers quickly adopted the code for their own purposes, culminating it today’s ransomware attack that makes use of the same exploit.

Microsoft released a Windows update in March that patches the EternalBlue security hole, but Windows machines that haven’t downloaded the update are likely vulnerable to WannaCry, which some security experts are already calling the most serious internet outbreak since the 2008 Conficker worm, which infected an estimated 9 million machines at its peak, and still hasn’t been entirely eradicated. “The last time the industry really freaked out about a worm was Conficker, and this is akin to that,” says Robert M. Lee, founder of the cyber security firm Dragos. “I don’t think it’s going to slow down any time soon.”

If there’s a bit of hope, it comes from a curious feature in the attack code that was first noted on Friday by Darien Huss, a security researcher at Proofpoint. It turns out that upon infecting a new target, WannaCry tries to contact a server at a particular domain name— a dot-com address consisting of a long string of gobbledygook letters and numbers ending in “gwea.com”.

If it’s not able to reach that address, WannaCry begins its dirty work of taking files hostage and looking for places to spread. But if it is able to connect, it shuts itself down immediately. The mechanism was likely coded by the malware’s creator as an emergency stop button, in case the worm began behaving in unexpected ways.

The hacker, though, didn’t register the gwea.com domain name. On Friday morning, a 22-year-old UK security researcher known online as MalwareTech noticed the address in WannaCry’s code and found that it was still available. “I saw it wasn’t registered and thought, ‘I think I’ll have that,’” he says. He purchased it at NameCheap.com for $10.69, and pointed it at a “sinkhole” server in Los Angeles, hoping to gather information on the malware. “Immediately we saw 5 or 6 thousand connections a second.”

He’s been using the data to track infections in real time—so far his server has been contacted by 78,000 infected Windows machines around the world. But his tracking also shows the infection rate is slowing down. It’s too soon to say with certainty, but by answering connections from WannaCry, the UK researcher appears to be activating its self-destruct. “Completely by accident,” he says.

Get The Beast In Your Inbox!

Daily Digest

Start and finish your day with the top stories from The Daily Beast.

Cheat Sheet

A speedy, smart summary of all the news you need to know (and nothing you don't).

You are now subscribed to the Daily Digest and Cheat Sheet. We will not share your email with anyone for any reason.

“If we did stop it, there’s like a hundred percent chance they’re going to fire up a new sample and start that one again,” he says. “As long as people don’t patch it’s just going to keep going.”

In London, one of the facilities where computers were convulsed by WannaCry was St Bartholomew’s Hospital in Central London, which runs the specialist “hot-angio” service that treats heart attack patients from other hospitals all over London.

An internal NHS staff alert seen by the Daily Beast warned other hospitals in London that urgent treatment could still be carried out at Barts but only when crucial patient data was manually downloaded “please could you burn a disc to send it with the patient.”

A healthcare assistant in Barts’ cardiology department said the announcement to shut down the entire online computer network sent a surge of alarm through the hospital.

“It is scary,” he told The Daily Beast. “Our managers told us to shut down every computer as hackers were trying to get in… Major heart surgeries had to be cancelled as the computers required to monitor the heart and arteries post-op were switched off.”

“We were still able to give care to our patients but the whole system runs on those computers. People were being diverted from here and we have no idea when the system will be back working.”

Computer screens in hospitals all over Britain had flashed red and warned: “Ooops, your files have been encrypted!”

Prime Minister Theresa May said the National Cyber Security Centre was working to restore computer access to the NHS. It is unclear when the systems will be restored, but she said: “We are not aware of any evidence that patient data has been compromised.”

At press time three of the BitCoin addresses used as ransom drops had accumulated 3.7 BTC worth $ 9377.24.